1. quackquack147's Avatar
    After pulling the SIM card out of my Z10 and putting the iPhone 4S back into commission, seeing your post is like a breath of fresh air. All I can say is that staying faithful to the work involved here is logical, as an exploit will eventually be found on this device.

    Let me know if you are looking for any test takers.
    Thanks for the inspiration, but it's painful work, because we have documents for everything except HS, which is under NDA. Unless we have the HS document made available to us we will be shooting arrows in the dark, because we don't have the HS (high security) documents. How can you develop an exploit when you know nothing? Which calls for reverse engineering, and it can be clean/dirty room work.
    Loads of ifs and buts..... and it's stuck on one thing: HS documents, which we don't have.
    So finding a logic is going to be extremely tough, because you need to run a binary disassembly on the loader and then find the logic, like you need to use the ada arm hf disassembler. :-D Get the idea? And it's not a week or month job; it may take a month or two provided some hardcore dedicated work is going on. Wish RIM had also used a bootrom chip like Apple. Bastards didn't. Hence we are out of luck as of now, but not for long, as from Monday we will start the disassembly work, because both cryptanalysis and brute force will take a long time.
    Test takers? Welcome onboard. You can run the same work we do. We will soon notify advancements. I met a few new chaps who are hardcore in electronics. I asked them for help. They agreed. That's the good news.
    thanks
    -paul
    Last edited by quackquack147; 06-22-13 at 11:55 AM.
    06-22-13 07:58 AM
  2. quackquack147's Avatar
    You have been granted access to the Project, QNX Operating System.

    Visit the Project at foundry27 : Project Home
    I got this as a mail reply when I requested access to the QNX source. Let the games begin!

    FIGHT!
    thanks
    -paul
    Last edited by quackquack147; 06-22-13 at 10:03 AM.
    06-22-13 09:44 AM
  3. Dr_Acula's Avatar
    06-22-13 09:56 AM
  4. quackquack147's Avatar
    Your battle: either root it or find an exploit and run Android. That's where your battle ends.
    My battle: rewrite the bootloader itself from scratch. :-D Thus my battle starts where your battle ends.
    It's not against RIM, but it's the thud punch to HS (high security).... ain't easy.
    Which is why this alliance was forged. The enemy of an enemy is a friend of yours.
    Besides, you can have all the root and exploits and Android you want. I need raw power; I need unconditional access, so rooting is not my cup of tea. :-D
    I.e. the bootloader and nothing more. And the next GSoC is May 2014. I've got plenty of time, but you are impatient; you need it fast. So I will try to unlock the code; can't promise how long it will take.
    Oh, by the way, enjoy the song ->
    And those who wish to know cryptography and cryptanalysis? Have a look here; you will understand why it is so difficult to break this key.
    Good luck!
    thanks
    -paul
    Last edited by quackquack147; 06-22-13 at 12:03 PM.
    lexluthorxx likes this.
    06-22-13 11:43 AM
  5. Dr_Acula's Avatar
    Your battle: either root it or find an exploit and run Android. That's where your battle ends.
    My battle: rewrite the bootloader itself from scratch. :-D Thus my battle starts where your battle ends.
    It's not against RIM, but it's the thud punch to HS (high security).... ain't easy.
    Which is why this alliance was forged. The enemy of an enemy is a friend of yours.
    Besides, you can have all the root and exploits and Android you want. I need raw power; I need unconditional access, so rooting is not my cup of tea. :-D
    I.e. the bootloader and nothing more. And the next GSoC is May 2014. I've got plenty of time, but you are impatient; you need it fast. So I will try to unlock the code; can't promise how long it will take.
    Oh, by the way, enjoy the song ->
    thanks
    -paul
    U got me. Hahaha
    06-22-13 11:56 AM
  6. quackquack147's Avatar
    U got me. Hahaha
    The Wicker Man! :-D The lighter side of BS! ;-)
    thanks
    -paul
    Don't forget to check that cryptanalysis and cryptography stuff. It is extremely, extremely juicy and a power-packed punch. But then again, with that much power comes even greater responsibility.
    So try to be gentoo... else you will burn yourself with your own power.
    thanks
    -paul
    06-22-13 12:14 PM
  7. quackquack147's Avatar
    Adding more info.
    OMAP4430_ES2.x_PUBLIC_TRM_vAE.pdf
    Pg 265 says it has a 48 KB bootable ROM,
    and
    pg 266 says the L2 ROM is only 16 KB,
    which means the bootrom is either 48*8=384 kbits or 16*8=128 kbits.
    Why is this important?
    The L2 ROM is the important one, I will assume, since it kicks off the second stage chain loader and the first stage loader:
    -rw-r--r-- 1 root root 20460 Jun 10 23:55 MLO
    -rwxr-xr-x 1 root root 19940 Jun 10 23:55 x-load.bin
    -rw-r--r-- 1 root root 20460 Jun 10 23:55 x-load.bin.ift
    or ~20 KB.
    Let's assume it's compressed and also the strip command is issued with -O2 for gcc size optimization; then it can fit nicely within 16 KB.
    So the bootloader sits in L2 cache and it's only 16K, and it's aided by a 64 KB SRAM.
    Nice. Getting close. I can smell it; we are near the fresh meat. Weeeee!
    Stay tuned for more findings. I like TI for only one thing: their docs are really, really extensive and deep.
    Hence, the conclusion is....
    The bootloader, which is MLO or x-loader.bin.ift, is compressed with LZMA, which means it can be compressed even more, and also the signature is padded in the first few blocks.
    Now comes a very important question: exactly how many bits/bytes are the signed pad.... I mean, how many bits are padded as signature? If we know the length of that, then cryptanalysis is much easier to do.
    Now we know one thing: 3072-bit encryption can't reside on this.....
    Key size - Wikipedia, the free encyclopedia
    There is a ray of hope on this.....
    One of the asymmetric algorithm types, elliptic curve cryptography, or ECC, appears to be secure with shorter keys than those needed by other asymmetric key algorithms. NIST guidelines state that ECC keys should be twice the length of equivalent strength symmetric key algorithms. So, for example, a 224-bit ECC key would have roughly the same strength as a 112-bit symmetric key. These estimates assume no major breakthroughs in solving the underlying mathematical problems that ECC is based on. A message encrypted with an elliptic key algorithm using a 109-bit long key has been broken by brute force.[8]
    which means we can break the key.
    I hope this is all the info you can digest for the day, or rather all I can read for now.
    Calling it a day.
    thanks
    -paul
    P.S. But one more thing: look at page 265; there is a 48 KB bootable ROM, i.e. 48*1024*8=393216 bits,
    which is sufficient to hold the 3072-bit key + 20 KB MLO/x-loader.bin.ift,
    which means we are in deep, deep, deep...... sh!t.... if L1 cache is where the bootrom resides. ;-) And cryptanalysis is next to impossible. ;-D
    P.S. 2: There is more info I am adding. There is also L3 cache, which has memory split like this (pg 271):
    L3 OCM RAM, SAR ROM, SAR RAM & OCM RAM is 56 KB.... 56 KB.... oh uh! Bad news. And there is SAR (save and restore) RAM which is 4 KB, and SAR RAM which goes for context saving in offline mode. If my guess is right, this is the combination (SAR RAM & SAR ROM) which does the hash and sign check.
    Last edited by quackquack147; 06-22-13 at 04:07 PM.
    06-22-13 03:47 PM
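The two x-load files listed in the post above differ by exactly 520 bytes (20460 - 19940). As an added example, not code from this thread, from RIM or from TI: 520 is the size of the 512-byte Configuration Header (CH) area plus the 8-byte GP header that U-Boot's omapimage tool prepends to an OMAP3/4 boot image (x-loader's signGP tool writes the same .ift layout, to my knowledge). The GP header is only a payload size and a load address, not a cryptographic signature, so measuring the header first tells you how much of the file is real image before any padding or signature question arises. The script below is my own code: it builds a constructed sample in that layout, parses the header back, checks the declared payload size against the file length, and checks the load address against the OMAP4 on-chip RAM window (base 0x40300000, 56 KB, which I take from the public TRM memory map and treat as an assumption here). The CH field layout (32-byte TOC entries, a CHSETTINGS record with key 0xC0C0C0C1 at offset 0x40) is from my reading of U-Boot's tools/omapimage.c and is likewise an assumption.

```python
import struct

# Layout written by U-Boot's omapimage tool for OMAP3/4 GP boot images (assumed).
CH_AREA_SIZE = 512            # Configuration Header area: TOC entries + CHSETTINGS record
GP_HEADER_SIZE = 8            # GP header: u32 payload size, u32 load address (little-endian)
KEY_CHSETTINGS = 0xC0C0C0C1   # section key stored in the CHSETTINGS record
CHSETTINGS_OFFSET = 0x40      # where omapimage places the CHSETTINGS record

# OMAP4 on-chip (L3 OCM) RAM window, assumed from the public TRM memory map:
# base 0x40300000, 56 KB (the "56 KB" region quoted in the thread).
OCM_RAM_BASE = 0x40300000
OCM_RAM_SIZE = 56 * 1024


def build_gp_image(payload, load_addr, with_ch=True):
    """Constructed sample builder: wrap a payload the way omapimage does."""
    hdr = bytearray()
    if with_ch:
        # Unused TOC slots are all-0xFF terminators, so start from a 0xFF-filled area.
        ch = bytearray(b"\xff" * CH_AREA_SIZE)
        # TOC entry 0: section offset, section size, 12 unused bytes, 12-byte name.
        struct.pack_into("<II12x12s", ch, 0, CHSETTINGS_OFFSET, 0xC, b"CHSETTINGS")
        # CHSETTINGS record: key, valid, version, reserved, flags.
        struct.pack_into("<IBBHI", ch, CHSETTINGS_OFFSET, KEY_CHSETTINGS, 0, 1, 0, 0)
        hdr += ch
    hdr += struct.pack("<II", len(payload), load_addr)
    return bytes(hdr) + payload


def parse_gp_image(data):
    """Describe the header of a GP boot image; raise ValueError if it is inconsistent."""
    has_ch = False
    if len(data) >= CH_AREA_SIZE + GP_HEADER_SIZE:
        sec_off, sec_size = struct.unpack_from("<II", data, 0)
        # A CH area is present if TOC entry 0 points inside the 512-byte area
        # at a record carrying the CHSETTINGS key.
        if sec_off + 4 <= CH_AREA_SIZE and sec_size >= 4:
            has_ch = struct.unpack_from("<I", data, sec_off)[0] == KEY_CHSETTINGS
    hdr_len = (CH_AREA_SIZE if has_ch else 0) + GP_HEADER_SIZE
    if len(data) < hdr_len:
        raise ValueError("file too short for a GP header")
    size, load_addr = struct.unpack_from("<II", data, hdr_len - GP_HEADER_SIZE)
    # The declared payload size must account for every byte after the header;
    # a truncated or trailing-garbage file fails here.
    if size != len(data) - hdr_len:
        raise ValueError("declared payload size %d, but %d bytes follow the header"
                         % (size, len(data) - hdr_len))
    fits = OCM_RAM_BASE <= load_addr and load_addr + size <= OCM_RAM_BASE + OCM_RAM_SIZE
    return {"has_ch": has_ch, "header_len": hdr_len, "payload_size": size,
            "load_addr": load_addr, "fits_in_ocm_ram": fits}


def header_overhead(ift_size, raw_size):
    """Classify the size difference between an .ift file and its raw binary."""
    delta = ift_size - raw_size
    if delta == CH_AREA_SIZE + GP_HEADER_SIZE:
        return "CH area + GP header"
    if delta == GP_HEADER_SIZE:
        return "GP header only"
    return "unknown (%d bytes)" % delta


if __name__ == "__main__":
    # Constructed payload with the same size as x-load.bin in the thread (19940 bytes).
    sample = build_gp_image(b"\x00" * 19940, OCM_RAM_BASE)
    print(parse_gp_image(sample))
    print(header_overhead(20460, 19940))
```

Run against a real MLO, `parse_gp_image` either returns the header layout or raises because the declared size and file length disagree; the 520-byte overhead reported by `header_overhead(20460, 19940)` matches the sizes in the listing above.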
  8. quackquack147's Avatar
    The signed bootrom is 128 KB, padded and compressed and stored in eMMC, and it's the GPMC 48 KB ROM which loads this and signs and checks it. At least that's what pg 281 says.
    Hope this helps.
    thanks
    -paul
    06-22-13 06:00 PM
  9. quackquack147's Avatar
    WhiteSpir1t posted that via iOS apps we can control hardware directly. So this is also possible with the BB native SDK or NDK, which is also confirmed by Nickstarmaster. Now it's a double confirmation. Hope we find a buffer overflow or underrun for the HS registers, and then we will try to see if we can push an unsigned bootloader. The bootloader is signed, and the HS registers are controlled either via the 16 KB ROM or the 48 KB ROM or a 64 KB ROM. We need to know the base address of these registers and then target an attack, else it will be a fruitless banana community mess aka a bricked PlayBook. Maybe we can fork the bootloader.
    synerworks also confirmed that there are traces which can/may be cut to get raw CPU access. The question is which traces to cut. It's a booby trap.
    Loads of possibilities. We don't know what's what for sure.
    thanks
    -paul
    06-22-13 11:55 PM
  10. sev7en's Avatar
    Hi, just a question... how can I set the USB Debug Mode if, when the device starts, it looks directly for the firmware update?

    @EDIT:


    Here, it is the story...

    [image attachment: 29yf32a.jpg]
    06-23-13 04:12 AM
  11. quackquack147's Avatar
    Hi, just a question... how can I set the USB Debug Mode if, when the device starts, it looks directly for the firmware update?

    @EDIT:


    Here, it is the story...

    [image attachment: 29yf32a.jpg]
    I've got no idea how DingleBerry works because I have never used it, mate. We are taking a different approach: all outward/inward attack, which means we are smoking it up hot. There are other users who have tried it before and I am sure they are your best bet.
    thanks
    -paul
    06-23-13 07:42 AM
  12. Dr_Acula's Avatar
    Hi, just a question... how can I set the USB Debug Mode if, when the device starts, it looks directly for the firmware update?

    @EDIT:


    Here, it is the story...

    [image attachment: 29yf32a.jpg]
    Do u mean development mode?
    Go to Settings > Security > Dev mode.

    If u talk of adb logcat from android.
    U can try ssh but then I don't know how to get the logs.
    06-23-13 07:48 AM
  13. quackquack147's Avatar
    Do u mean development mode?
    Go to Settings > Security > Dev mode.

    If u talk of adb logcat from android.
    U can try ssh but then I don't know how to get the logs.
    There is no SSH server on the BlackBerry PlayBook. And secondly, I never used DingleBerry, so if you have used it, help him.
    thanks
    -paul
    06-23-13 08:01 AM
  14. sev7en's Avatar
    Do u mean development mode?
    Go to Settings > Security > Dev mode.

    If u talk of adb logcat from android.
    U can try ssh but then I don't know how to get the logs.
    Hi,
    thanks for your support, but maybe I was not so clear: it's the first boot for my PlayBook. I never booted it earlier because if I complete the setup it wants to upgrade to the latest OS.
    I am asking if there is a way to enable Development Mode from that situation; otherwise I have no way to do the rooting. Right?
    06-23-13 08:09 AM
  15. Dr_Acula's Avatar
    Hi,
    thanks for your support, but maybe I was not so clear: it's the first boot for my PlayBook. I never booted it earlier because if I complete the setup it wants to upgrade to the latest OS.
    I am asking if there is a way to enable Development Mode from that situation; otherwise I have no way to do the rooting. Right?
    Y want to root?
    CFP a rootable OS, then enable dev mode. :thumbup:

    Oh, damn, I want root too.
    06-23-13 08:24 AM
  16. quackquack147's Avatar
    Hi,
    thanks for your support, but maybe I was not so clear: it's the first boot for my PlayBook. I never booted it earlier because if I complete the setup it wants to upgrade to the latest OS.
    I am asking if there is a way to enable Development Mode from that situation; otherwise I have no way to do the rooting. Right?
    I know this much from what Dr_Acula said: you can use CFP to downgrade the OS and then root it, and forget about upgrading; if you do, you will lose root. I am taking a different approach. I am not rooting the device. I am trying to take ownership of the bootloader. If we do so, then we never ever need to worry about rooting again in future.
    This is why I never thought of rooting: because when there is an upgrade/update, all rooting mechanisms are dealt with too much force, i.e. you lose root and wait for someone else to root it again.
    That's why this approach.
    thanks
    -paul
    06-23-13 08:34 AM
  17. Dr_Acula's Avatar
    I know this much from what Dr_Acula said: you can use CFP to downgrade the OS and then root it, and forget about upgrading; if you do, you will lose root. I am taking a different approach. I am not rooting the device. I am trying to take ownership of the bootloader. If we do so, then we never ever need to worry about rooting again in future.
    This is why I never thought of rooting: because when there is an upgrade/update, all rooting mechanisms are dealt with too much force, i.e. you lose root and wait for someone else to root it again.
    That's why this approach.
    thanks
    -paul
    We can keep root over ota.
    It was somewhere in rooting forum.
    06-23-13 08:36 AM
  18. quackquack147's Avatar
    We can keep root over ota.
    It was somewhere in rooting forum.
    Fine enough. That I did not know. So you are saying root is preserved even after an upgrade?
    thanks
    -paul
    06-23-13 08:40 AM
  19. Dr_Acula's Avatar
    Fine enough. That I did not know. So you are saying root is preserved even after an upgrade?
    thanks
    -paul
    One of them downgraded via force corruption.
    Rooted
    Made a script to preserve root.
    Upgraded to latest os.
    06-23-13 08:45 AM
  20. quackquack147's Avatar
    One of them downgraded via force corruption.
    Rooted
    Made a script to preserve root.
    Upgraded to latest os.
    Yes, you were referring to something like NVRAM corruption. I've got the idea now.
    thanks
    -paul
    Dr_Acula likes this.
    06-23-13 08:50 AM
  21. Dr_Acula's Avatar
    Ssh thing.
    Here it is http://forums.crackberry.com/showthread.php?t=640410

    Not much u can do with it.
    Everything is blocked.:banghead:
    06-23-13 08:51 AM
  22. Dr_Acula's Avatar
    Root with ssh would have been great.
    06-23-13 08:53 AM
  23. quackquack147's Avatar
    Ssh thing.
    Here it is http://forums.crackberry.com/showthread.php?t=640410

    Not much u can do with it.
    Everything is blocked.:banghead:
    I need some low-level access to the system. I need to extract a few vital pieces of info for reverse engineering. This might help, or give me a temporary window/hole to get in/out with the intended information.
    thanks
    -paul
    Dr_Acula likes this.
    06-23-13 09:02 AM
  24. sev7en's Avatar
    Thanks to both ^_^ So I can do the update and then later the downgrade? I am asking you that because until now I was thinking it is not possible... if so, let's upgrade :-)

    Which one is, for you, the most reliable firmware for the downgrade? Do we also have a packed CF for that?


    Thanks
    06-23-13 09:45 AM
  25. Dr_Acula's Avatar
    Thanks to both ^_^ So I can do the update and then later the downgrade? I am asking you that because until now I was thinking it is not possible... if so, let's upgrade :-)

    Which one is, for you, the most reliable firmware for the downgrade? Do we also have a packed CF for that?


    Thanks
    Noooooooo
    Root first
    06-23-13 09:46 AM